Northwestern Mutual VDP

Welcome!

For 160 years, we've helped our clients achieve financial security by building lifelong relationships to help them create and carry out their financial plans. Spend Your Life Living.

The security and privacy of clients' confidential information are important to Northwestern Mutual. The company takes its responsibility to protect this information seriously and uses technical, administrative, and physical controls to safeguard its data.

We want to hear from security researchers (“You” or “Your”) who have information related to suspected security vulnerabilities of any Northwestern Mutual services exposed to the internet.

---

Submitting a Report

You will need to create a Bugcrowd account to report vulnerabilities.

The report should include sufficient information to permit Bugcrowd and Northwestern Mutual to validate and reproduce the issue.

---

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Note - This program does not provide monetary rewards.

---

What We Expect of You

By submitting Your report to us:

• You agree not to publicly disclose the Vulnerability until Northwestern Mutual agrees to a public disclosure
• You represent the report is original to You and that You did not copy the report or any part of it from another third party
• You allow Northwestern Mutual and its subsidiaries the unconditional ability to use, distribute, and/or disclose information provided in Your report
• You agree to not perform any of the “Out of Scope” activities listed below and will stay within the approved Scope.

---

What to Expect of Us

If You identify a Vulnerability in accordance with this Policy, Northwestern Mutual commits to working with You to understand, validate, and address the Vulnerability appropriately per the assessed risk.

---

Out of Scope Activities and Vulnerabilities

Out of Scope Activities:

• Taking any action that will negatively affect Northwestern Mutual, its subsidiaries or agents
• Any communication (verbal, written, or otherwise) with anyone affiliated with or working for Northwestern Mutual (including Financial Representatives and Network Offices) is strictly prohibited (No Social engineering. Communication with the program owners in the Bugcrowd platform is fine).
• Destruction or corruption of data, information, or infrastructure, including any attempts to do so
• Discovery dependent on social engineering techniques of any kind
• Any exploitation actions, including accessing or attempting to access Northwestern Mutual data or information, beyond what is required for the initial "Proof of Vulnerability". For the avoidance of doubt, this means your actions to obtain and then evidence the Proof of Vulnerability must stop immediately after initial access to data or a system.
• Attacks on third-party services
• Denial of Service attacks (DoS) or Distributed Denial of Services (DDoS) attacks
• Any attempt to gain physical access to Northwestern Mutual property or data centers is strictly prohibited
• Use of assets that You do not own or are not authorized or licensed to use when discovering a Vulnerability
• Violation of any laws or agreements while discovering or reporting any Vulnerability

Out of Scope Vulnerabilities

• Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit
• Third-party applications, websites, or services that integrate with or link to Northwestern Mutual
• Discovery of any in-use service (vulnerable 3rd-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact

---